<meta name="description" content="NewsBlur is a personal news reader that brings people together to talk about the world. A new sound of an old instrument."/>
<p>I’d like to answer a few questions about what happened here.</p>
<ol>
<li>Was any data leaked during the hack? How do you know?</li>
<li>How did NewsBlur’s MongoDB server get hacked?</li>
<li>What will happen to ensure this doesn’t happen again?</li>
</ol>
<p>Let’s start by talking about the importance of your data. As you may know, NewsBlur is open source and enjoys the added protection of having thousands of people looking at the codebase and dozens contributing back to it.</p>
<h3 id="1-was-any-data-leaked-during-the-hack-how-do-you-know">1. Was any data leaked during the hack? How do you know?</h3>
<p>I can definitively write that no data was leaked during the hack. I know this because of two different sets of logs showing that the automated attacker only issued deletion commands and did not transfer any data off of the MongoDB server.</p>
<p>This is what the day looks like. This 24-hour graph of bandwidth shows:</p>
<p>You can imagine the stress I experienced in the forty minutes between 9:35p, when the hack began, and 10:15p, when the fresh backup snapshot was identified and put into gear.</p>
<ol>
<li><strong>6:10p</strong>:</li>
<li><strong>9:35p</strong>:</li>
<li><strong>10:15p</strong>:</li>
<li><strong>3:00a</strong>:</li>
<li><strong>4:30a</strong>:</li>
</ol>
<h3 id="2-how-did-newsblurs-mongodb-server-get-hacked">2. How did NewsBlur’s MongoDB server get hacked?</h3>
<p>It would make for a much more dramatic read if I was hit through a vulnerability in Docker instead of a footgun.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>nbset:PRIMARY> show dbs
READ__ME_TO_RECOVER_YOUR_DATA 0.000GB
admin 0.000GB
local 16.471GB
newsblur 0.718GB
nbset:PRIMARY> use READ__ME_TO_RECOVER_YOUR_DATA
switched to db READ__ME_TO_RECOVER_YOUR_DATA
nbset:PRIMARY> show collections
README
system.profile
nbset:PRIMARY> db.README.find()
{ "_id" : ObjectId("60d3e112ac48d82047aab95d"), "content" : "All your data is a backed up. You must pay 0.03 BTC to XXXXXXFTHISGUYXXXXXXX 48 hours for recover it. After 48 hours expiration we will leaked and exposed all your data. In case of refusal to pay, we will contact the General Data Protection Regulation, GDPR and notify them that you store user data in an open form and is not safe. Under the rules of the law, you face a heavy fine or arrest and your base dump will be dropped from our server! You can buy bitcoin here, does not take much time to buy https://localbitcoins.com or https://buy.moonpay.io/ After paying write to me in the mail with your DB IP: FTHISGUY@recoverme.one and you will receive a link to download your database dump." }
</code></pre></div></div>
<p>Looking at the MongoDB access logs, we can invoke a pretty neat command to find everybody who is not one of the 100 known NewsBlur machines that has accessed MongoDB.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ cat /var/log/mongodb/mongod.log | egrep -v "159.65.XX.XX|161.89.XX.XX|<< SNIP: A hundred more servers >>"
2021-06-24T01:33:45.531+0000 I NETWORK [listener] connection accepted from 171.25.193.78:26003 #63455699 (1189 connections now open)
2021-06-24T01:34:08.018+0000 I COMMAND [conn63456637] dropDatabase config - starting
2021-06-24T01:34:08.018+0000 I COMMAND [conn63456637] dropDatabase config - dropping 1 collections
2021-06-24T01:34:08.018+0000 I COMMAND [conn63456637] dropDatabase config - dropping collection: config.transactions
2021-06-24T01:34:08.020+0000 I STORAGE [conn63456637] dropCollection: config.transactions (no UUID) - renaming to drop-pending collection: config.system.drop.1624498448i1t-1.transactions with drop optime { ts: Timestamp(1624498448, 1), t: -1 }
2021-06-24T01:34:08.029+0000 I REPL [replication-14545] Completing collection drop for config.system.drop.1624498448i1t-1.transactions with drop optime { ts: Timestamp(1624498448, 1), t: -1 } (notification optime: { ts: Timestamp(1624498448, 1), t: -1 })
2021-06-24T01:34:08.030+0000 I STORAGE [replication-14545] Finishing collection drop for config.system.drop.1624498448i1t-1.transactions (no UUID).
2021-06-24T01:34:08.030+0000 I COMMAND [conn63456637] dropDatabase config - successfully dropped 1 collections (most recent drop optime: { ts: Timestamp(1624498448, 1), t: -1 }) after 7ms. dropping database
2021-06-24T01:34:08.032+0000 I REPL [replication-14546] Completing collection drop for config.system.drop.1624498448i1t-1.transactions with drop optime { ts: Timestamp(1624498448, 1), t: -1 } (notification optime: { ts: Timestamp(1624498448, 5), t: -1 })
2021-06-24T01:34:08.041+0000 I COMMAND [conn63456637] dropDatabase config - finished
2021-06-24T01:34:08.398+0000 I COMMAND [conn63456637] dropDatabase newsblur - starting
2021-06-24T01:34:08.398+0000 I COMMAND [conn63456637] dropDatabase newsblur - dropping 37 collections
<< SNIP: It goes on for a while... >>
2021-06-24T01:35:18.840+0000 I COMMAND [conn63456637] dropDatabase newsblur - finished
</code></pre></div></div>
<p>What you see above…</p>
<p>When I visited the IP address of the <a href="http://185.220.101.6/">two</a> <a href="http://171.25.193.78/">connections</a> above, I found a Tor exit router:</p>
<p><img src="/assets/hack-tor.png"/></p>
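<p>The log triage described above, as an added example that is not code from the original post: it parses the same <code>mongod.log</code> line shapes, flags connections accepted from addresses outside an allowlist using exact network matching, and ties each <code>dropDatabase</code> back to its connection id. The allowlist, the sample log lines (documentation-range addresses, made-up connection ids) and the names <code>audit</code> and <code>egrep_v</code> are assumptions.</p>

```python
import ipaddress
import re

# mongod 4.x plain-text log lines, in the shape shown in the excerpt above (IPv4 only).
ACCEPT_RE = re.compile(
    r"^(?P<ts>\S+) I NETWORK\s+\[listener\] connection accepted from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+ #(?P<conn>\d+) ")
DROP_RE = re.compile(
    r"^(?P<ts>\S+) I COMMAND\s+\[conn(?P<conn>\d+)\] dropDatabase (?P<db>\S+) - starting")

# Constructed sample: documentation-range addresses and made-up connection ids.
SAMPLE_LOG = """\
2021-06-24T01:30:00.000+0000 I NETWORK [listener] connection accepted from 192.0.2.10:40000 #101 (5 connections now open)
2021-06-24T01:33:45.531+0000 I NETWORK [listener] connection accepted from 192.0.2.100:26003 #102 (6 connections now open)
2021-06-24T01:34:08.018+0000 I COMMAND [conn102] dropDatabase config - starting
2021-06-24T01:34:08.041+0000 I COMMAND [conn102] dropDatabase config - finished
2021-06-24T01:34:08.398+0000 I COMMAND [conn102] dropDatabase newsblur - starting
2021-06-24T01:34:09.000+0000 I COMMAND [conn77] dropDatabase admin - starting
""".splitlines()

KNOWN = ["192.0.2.10/32", "198.51.100.0/24"]  # assumed allowlist of application servers


def audit(lines, known_networks):
    """Return (unknown, unattributed).

    unknown: conn id -> {"ip", "accepted", "dropped"} for each connection accepted
    from an address outside known_networks, with the databases it dropped.
    unattributed: (ts, conn, db) for drops on a connection whose accept line is not
    in these lines (for example a rotated log), so its source cannot be ruled in or out.
    """
    nets = [ipaddress.ip_network(n) for n in known_networks]
    seen, unknown, unattributed = set(), {}, []
    for line in lines:
        m = ACCEPT_RE.match(line)
        if m:
            ip = ipaddress.ip_address(m["ip"])
            seen.add(m["conn"])
            if not any(ip in net for net in nets):
                unknown[m["conn"]] = {"ip": str(ip), "accepted": m["ts"], "dropped": []}
            continue
        m = DROP_RE.match(line)
        if m and m["conn"] in unknown:
            unknown[m["conn"]]["dropped"].append(m["db"])
        elif m and m["conn"] not in seen:
            unattributed.append((m["ts"], m["conn"], m["db"]))
    return unknown, unattributed


def egrep_v(lines, pattern):
    """Mimic `egrep -v`: keep lines the unanchored regex matches nowhere."""
    return [line for line in lines if not re.search(pattern, line)]


if __name__ == "__main__":
    unknown, unattributed = audit(SAMPLE_LOG, KNOWN)
    for conn, info in unknown.items():
        print("unknown source:", conn, info)
    for ts, conn, db in unattributed:
        print("no accept line for conn", conn, "which dropped", db, "at", ts)
    # The substring pattern for 192.0.2.10 also hides 192.0.2.100:
    print(egrep_v(SAMPLE_LOG, r"192.0.2.10|198.51.100")[:1])
```

<p>Connection ids restart from the beginning when <code>mongod</code> restarts, so run the audit over one log segment between restarts at a time.</p>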
<h3 id="3-what-will-happen-to-ensure-this-doesnt-happen-again">3. What will happen to ensure this doesn’t happen again?</h3>
<p>For a point release this one sure is big. The Android app has been upgraded to include a bunch of features found on the web.</p>
<p>For one, premium subscriptions can now be purchased in the Android app itself. Reading by folder, saved story tags, searching and saved searches are all premium features that you can unlock directly in the app.</p>
<p>Also, saved searches are now at the bottom of your feed list. Take a look:</p>
<p>Here’s the full list of version 10.1’s many new features:</p>
<ul>
<li>Premium subscriptions are now available on Android! Read by folder, saved story tags, searching, and more are exclusive to premium subscribers.</li>
<li>Saved searches</li>
<li>In-app browser, so you don’t need to leave NewsBlur</li>
<li>Auto-theme option for dark mode so it can turn on automatically at night</li>
<li>You can now delete and rename folders and add a folder while adding a feed</li>
<li>Fixed issues around the intelligence trainer, HTML in comments, some images not loading</li>
</ul>
<p>If you would like to request a new feature on Android, please submit an idea on the <a href="https://forum.newsblur.com">NewsBlur Forum</a>. We’re prioritizing the next big release and would love to hear your input.</p>
<p>The grid view has quickly become one of my go-to story title views. It provides generous, clickable boxes with enlarged images and plenty of preview text. But until now, they were limited to a preset height.</p>
<p>Starting today, you can now change the height of stories in the grid view. You have five options to choose from: XS, Small, Medium, Large, and XL.</p>
<p>When you’re reading a story and want to save a portion of it for personal use, you now have a couple new options. Highlighting is now available for all stories. Simply select the text you want to highlight and NewsBlur helpfully shows a tooltip that allows you to select a part of the text and save it.</p>
<p>You can enrich your reading experience with highlights and come back to passages you want to remember. All stories with highlights are tagged as “Highlights” in your Saved Story tags list. That way you can immediately come back to your highlights.</p>
<p>Second, you can now also write private notes to yourself. If you’re doing research and want to remember why a particular story is being saved, the private notes text box can save your thoughts without having to share them with the world.</p>
<p>A few other small changes have been added to this feature. You can also save stories and tag them from any website using the bookmarklet (which you can install under Manage > Goodies > Bookmarklet).</p>
<p>The origins for this theme came from the community. Originally started by <a href="https://userstyles.org/styles/86275/newsblur-kemwer-black">Kemwer in 2013</a>, it has been maintained and updated by <a href="https://userstyles.org/styles/124890/newsblur-dark-theme-by-splike">Splike since 2014</a>. In fact, you can still use Splike’s theme as an alternate dark mode.</p>
<p>That’s 7 years of NewsBlur having an unofficial dark mode, but users had to jump through hoops to use it: installing a browser extension (which had a <a href="https://news.ycombinator.com/item?id=17447816">malware scare in 2018</a>) or having to copy the Stylish CSS to NewsBlur’s Account settings where it would need to be manually updated. What NewsBlur needed was having it built in.</p>
<p>Today NewsBlur is shipping first-class support. Building a dark theme requires more than inverting the existing color scheme, turning white to black and green to purple. Quite a bit of thought around UX and information hierarchy went into this dark theme design. I also used this as an opportunity to freshen up icons and small visual details on both light and dark themes.</p>
<p>Now we have a consistent dark theme across all of the first-party apps. The <a href="https://blog.newsblur.com/2021/06/21/2014-11-18-offline-reading-and-a-dark-theme-on-the-android.html">Android app had dark mode first in 2014</a>. Then came the <a href="https://blog.newsblur.com/2021/06/21/2016-04-12-newsblur-goes-dark-on-ios.html">iOS app in 2016</a>. Now we’re firmly in 2020 and it’s made it to the web. Goes to show that NewsBlur is always getting better.</p>
<p>If you like the new features we’ve been releasing recently, I would greatly appreciate it if you could share a tweet or Facebook post about NewsBlur. <strong>If you enjoy staying connected with culture and news through NewsBlur and you think your friends and followers would too, let them know about your news reader of choice.</strong> I appreciate all the kind comments that have come in since releasing this new theme.</p>
<blockquote>
<p>In love 🥰 with the new dark theme of <a href="https://twitter.com/NewsBlur?ref_src=twsrc%5Etfw">@NewsBlur</a> ! Kudos <a href="https://twitter.com/samuelclay?ref_src=twsrc%5Etfw">@samuelclay</a> 👍</p>
<p>— Jean Traullé (@jtraulle) <a href="https://twitter.com/jtraulle/status/1275814360141701120?ref_src=twsrc%5Etfw">June 24, 2020</a></p>
</blockquote>
<p>Hot on the heels of the <a href="https://blog.newsblur.com/2021/06/21/2020-02-26-catch-the-news-in-a-glimpse-with-the-new-newsblur.html">iOS widget release</a> a few months ago, the Android widget is now ready to go!</p>
<p>Ideally both iOS and Android widgets would have been released at the same time. But now that we have a new Android developer, <a href="https://github.com/sictiru">Andrei Dan</a>, we’ve built the widget and are planning many more new features for Android.</p>
<p>Everything I wrote for the iOS release holds for today’s Android widget:</p>
<blockquote><p>Most of the time when we release a new feature, it finds immediate use. But every so often a new feature comes along that changes how NewsBlur gets used. I consider offline stories part of this exclusive club. Same with the Text view, which shows you the full text of a story. And push notifications are right up there.</p></blockquote>
<p>If you’re like me and you rely on your phone for your news consumption, having stories handy every time you look at your phone changes your relationship to NewsBlur.</p>
<p>Most of the time when we release a new feature, it finds immediate use. But every so often a new feature comes along that changes how NewsBlur gets used. I consider offline stories part of this exclusive club. Same with the Text view, which shows you the full text of a story. And push notifications are right up there.</p>
<p>Today, I’m pleased to announce the launch of our new Today View widget on iOS.</p>
<p>Instead of having to open up the app to see what’s new, the stories come to you in the Today View, adjacent to the notification center. Personally I find myself checking this Today View widget a dozen times more than I open the NewsBlur app. It’s so incredibly useful to have NewsBlur come to me.</p>
<p>Additionally, in version 10.0 of the iOS app, we have a bunch of new features:</p>
<ul>
<li>A new iOS widget shows the latest stories in your Notification Center and on your iPad dashboard</li>
<li>Statistics visualization for every site</li>
<li>Automatic downloading of the original story full text for offline reading</li>
<li>Unsubscribe from a feed directly from a story</li>
<li>Preferences import & export</li>
</ul>
<p>And tons of bugs were fixed along with other small improvements:</p>
<ul>
<li>Fixed crash on start for a few users</li>
<li>Fixed highlighting issue</li>
<li>Fixed settings with stories on bottom</li>
<li>Tweaked dark theme colors to be darker</li>
<li>Fixed wonky behavior on iPad</li>
<li>Clearing offline now clears the cached stories, text, and images from the database</li>
<li>Manually changing the theme now turns off the preference to follow the system appearance</li>
<li>Turning on following the system appearance immediately updates the theme appropriately</li>
<li>Fixed crash on feed load list</li>
<li>Fixed crash on start</li>
</ul>
<p>And if you’re an Android user, I just want you to know that we intended to ship this feature first on Android (and in fact, it is 90% built) but then our Android developer bailed. I’ll be hiring for another Android developer soon, but if that interests you, <a href="mailto:samuel@newsblur.com">please reach out</a>!</p>
<p>There are two ways to connect to the NewsBlur website. The first is <em>http</em>://www.newsblur.com. The second is <em>https</em>://www.newsblur.com. The first is plain text and the second is encrypted. You get to choose which one you want to use.</p>
<p>Part of the draw of using an encrypted https connection instead of a plain text http connection is that you can protect your privacy. As far as I can tell, there are two reasons for preferring https over http.</p>
<p>One is that using an encrypted https connection to NewsBlur protects what you read from hackers or a man-in-the-middle changing your data as it comes to you. This could be your internet service provider (ISP) inserting ads or it could be a snooping wifi router that you are connected to that injects malware into your content. Some companies have been known to do this and https protects you.</p>
<p>But the second reason is that your privacy is also protected from more benign, aggregate collections by ISPs and middlemen that see what you read and sell that data. NewsBlur doesn’t sell any of your data and beginning this week NewsBlur can ensure that nobody other than you and the site you read can either.</p>
<p>The feature that is launching this week (it actually launched Monday in order for me to ensure that it works well) is a secure image proxy for all images served on NewsBlur. That means that NewsBlur will take any image that isn’t behind an encrypted https connection and proxy it behind NewsBlur’s own secure, encrypted connection.</p>
<p>You should notice next to no difference. The only difference you may notice is that some images may load <em>faster</em>, since NewsBlur has a thicker pipe to the Internet and can download data faster than your client browser can, which means that your persistent connection to NewsBlur’s servers takes over instead of having to make new connections with the associated overhead to various servers around the net.</p>
<p>Now you can turn on the SSL setting on the NewsBlur Web and ensure your data stays private.</p>
<p>And to answer the question of why you wouldn’t want to use https — it used to mean serving and loading pages over https gave a slight performance hit, but that’s no longer true. But some people use http because it will load images from both http and https websites, whereas loading NewsBlur via https means that you can only load images via https, as loading an image via http will throw up a Mixed Content Warning. This update addresses that issue and it is my hope that http-only will be phased out.</p>
<p>There are also many smaller fixes that improve the polish of the app:</p>
<ul>
<li>If you had a slow connection, some stories would take a while to draw while images were downloaded. Now they show immediately</li>
<li>Support for larger iPad Pros</li>
<li>Support for iOS 13</li>
<li>Fixes for split mode on iPad</li>
<li>Fixes for marking stories as read while scrolling the story titles list</li>
<li>Fixes for navigating stories with an external keyboard</li>
<li>Fixes for scroll performance on the feed list and the story titles list</li>
<li>Fixes for sharing stories accidentally having double titles in emails and messages</li>
</ul>
<p>Thanks to <a href="https://github.com/dejal">David Sinclair</a> for putting together this release. Keep up the great work! And if you have ideas for what you’d like to see in the next NewsBlur iOS release, please, please, please <a href="https://forum.newsblur.com/c/idea">submit them to the forum</a>.</p>
<p>Today we have a nice update, version 9.0, of the Android app that includes a rewrite of the story management backend as well as fixes for some critical display issues.</p>
<p>Here’s the full list of changes for version 9.0:</p>
<ul>
<li>Fixes black background for stories while reading with the Light theme.</li>
<li>Total rewrite of the backend story management platform. This fixes the oldest issues known in story paging and scroll state. The story rivers should now act like dynamic views instead of static lists.</li>
<li>New feature: renaming feeds directly in the app.</li>
<li>Improved messaging and display behavior for the original text view.</li>
<li>Fixes for the dark theme’s menu color.</li>
<li>Many other bug fixes and performance tweaks.</li>
</ul>
<p>I’d also like to introduce our newest developer, <a href="https://github.com/caleb-allen">Caleb Allen</a>.</p>
<p>Caleb will be working on the Android app. Our Android developer Daniel spent the last 5 years with us working on many, many versions of the NewsBlur app. I want to thank Daniel for his years of service and we wish him well on his next adventure. And here’s hoping for many fruitful years with Caleb!</p>
<div class="footer-col footer-col-3">
<p>NewsBlur is a personal news reader that brings people together to talk about the world.<br/>